Re: [Acme] Issuing certificates based on Simple HTTP challenges

Julian Dropmann <julian@dropmann.org> Mon, 14 December 2015 17:04 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/-3a7CTxENYDXdcnu5zCzfQZtsbg>

On Mon, Dec 14, 2015 at 5:58 PM, moparisthebest <admin@moparisthebest.com>
wrote:

> On 12/14/2015 11:53 AM, Julian Dropmann wrote:
> >
> > > This effectively means, as a domain zone admin, I have to trust
> > > every single service I define, not just to properly deliver this service,
> > > but also not to exploit his ability to obtain signed certificates in my
> > > name.
> >
> > Yes.
> >
> > And you are perfectly aware, that this was not the case before
> > ACME-enabled CAs existed, and now applies to every single domain admin
> > on this planet, right?
>
> It always applied before as well. In your example, your malicious blog
> hoster could have just hosted un-encrypted xmpp on the default port as
> well and xmpp clients that don't support SRV (which probably don't
> exist? it's in the original RFC) would just happily connect there as
> well, right?
>

Sure, they were able to provide malicious services under that domain, but
not with a valid certificate.
I think this is still a major difference.
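The trust relationship the thread argues about can be made visible with a small zone audit: for each hostname, the operator of whatever host it resolves to is the one who can answer a Simple HTTP (http-01) challenge for that name, so any record pointing at address space the zone owner does not administer is a name a third party could obtain a certificate for. This is an added example written for this discussion, not code from anyone in the thread; the zone records and the "own" network range are constructed.

```python
import ipaddress

# Constructed sample zone for example.org: a blog hosted by an outside
# provider, a self-managed mail host, and an XMPP SRV record.
ZONE = {
    "example.org":      [("A", "198.51.100.10")],
    "mail.example.org": [("A", "198.51.100.25")],
    "blog.example.org": [("CNAME", "hosting.provider-example.net")],
    "www.example.org":  [("A", "203.0.113.7")],  # provider's address, not ours
    "_xmpp-client._tcp.example.org": [("SRV", "5 0 5222 mail.example.org")],
}

# Address space the zone owner actually administers (constructed).
OWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def resolve(zone, name, depth=0):
    """Follow CNAME chains inside the zone; targets outside it are opaque."""
    if depth > 8 or name not in zone:
        return [("EXTERNAL", name)]
    addrs = []
    for rtype, rdata in zone[name]:
        if rtype == "CNAME":
            addrs.extend(resolve(zone, rdata, depth + 1))
        elif rtype in ("A", "AAAA"):
            addrs.append((rtype, rdata))
    return addrs

def third_party_controlled(zone, name, own_networks=OWN_NETWORKS):
    """True when the host answering HTTP for `name` (and therefore the
    /.well-known/acme-challenge/ path) sits outside our own address space."""
    for rtype, rdata in resolve(zone, name):
        if rtype == "EXTERNAL":
            return True
        if not any(ipaddress.ip_address(rdata) in net for net in own_networks):
            return True
    return False

def audit(zone, own_networks=OWN_NETWORKS):
    """Names for which an outside operator could complete an http-01 challenge."""
    hostnames = [n for n, rrs in zone.items()
                 if any(t in ("A", "AAAA", "CNAME") for t, _ in rrs)]
    return sorted(n for n in hostnames
                  if third_party_controlled(zone, n, own_networks))
```

The audit lists only names with address or CNAME records; SRV-only names are skipped because a CA validating http-01 connects to the hostname itself, not to the SRV target.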